CCleaner Server Was Compromised in Early July

Two versions of the highly popular Windows maintenance tool (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were modified to distribute information-stealing malware, and over 2 million users have been impacted by the incident. The infected binary was released on August 15 and remained undetected for four weeks.

CCleaner was developed by Piriform, which was acquired by anti-virus company Avast in July 2017. After news of the infected installer broke on Monday, the security firm decided to step forward and clarify that the compromise likely happened before the July acquisition.

“Before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017,” an Avast blog post signed by Vince Steckler, CEO, and Ondrej Vlcek, CTO and EVP Consumer Business, reads.

The company also disclosed that they were warned of the infection by security company Morphisec, which says that it first encountered the malicious CCleaner installations on Aug. 20. However, it was only on Sept. 11 that Morphisec received logs from some of its customers and could start an investigation.

On Sept. 12, Morphisec warned Avast of the infection, and the latter was able to resolve the issue within 72 hours. By Sept. 15, the command and control server that the malware was contacting had been taken down and Piriform had already released a clean version of CCleaner.

Avast also claims that no actual harm was done to the impacted computers, even though 2.27 million users downloaded the infected application release, because the final payload in this attack never activated.

“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” the company says.

CCleaner v5.34 and CCleaner Cloud v1.07.3214 have been released without the malicious code inside, and Avast says that only around 730,000 users are still running the affected version 5.33.6162 on their systems. The free CCleaner variant doesn’t include automatic updates, meaning that users need to manually download and install the clean version.

“We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again,” Avast also says.

Affected users are advised to update to the latest versions of CCleaner as soon as possible, to remove any malicious code from their computers.
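Because the free edition does not update itself, an administrator has to find the machines still on the trojanised builds. The audit below is an added example, not code from the article or from Avast/Piriform: it takes an inventory of installed CCleaner records (hostname, product, version, architecture; the sample records and the `5.32.1` version are constructed) and flags the exact builds the article names as affected, treating anything at or above the clean releases (5.34, Cloud 1.07.3214) as clean and everything else as merely outdated.

```python
# Added example (not from the article): audit a software inventory for the
# CCleaner builds the article names. Inventory records are constructed.
import re

# Builds named in the article. Only the 32-bit desktop build 5.33.6162 was
# modified; the Cloud build is flagged regardless of architecture.
AFFECTED = {"CCleaner": ("5.33.6162", "32-bit"), "CCleaner Cloud": ("1.07.3191", None)}
# First clean releases named in the article.
CLEAN_FROM = {"CCleaner": "5.34", "CCleaner Cloud": "1.07.3214"}

def parse_version(v):
    """Turn '5.33.6162' into (5, 33, 6162) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def classify(product, version, arch):
    """Return 'affected', 'clean', 'outdated' or 'unknown' for one installed record."""
    if product not in AFFECTED:
        return "unknown"
    bad_version, bad_arch = AFFECTED[product]
    if version == bad_version and (bad_arch is None or arch == bad_arch):
        return "affected"
    if parse_version(version) >= parse_version(CLEAN_FROM[product]):
        return "clean"
    return "outdated"  # not the trojanised build, but older than the clean release

def audit(records):
    """records: iterable of (host, product, version, arch). Returns hosts needing action."""
    findings = {}
    for host, product, version, arch in records:
        status = classify(product, version, arch)
        if status in ("affected", "outdated"):
            findings[host] = status
    return findings

# Constructed sample inventory, e.g. exported from the Windows Uninstall registry keys.
SAMPLE = [
    ("ws-01", "CCleaner", "5.33.6162", "32-bit"),
    ("ws-02", "CCleaner", "5.33.6162", "64-bit"),
    ("ws-03", "CCleaner", "5.34", "32-bit"),
    ("ws-04", "CCleaner Cloud", "1.07.3191", "32-bit"),
    ("ws-05", "CCleaner Cloud", "1.07.3214", "64-bit"),
    ("ws-06", "CCleaner", "5.32.1", "32-bit"),  # constructed version number
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

Hosts reported as "affected" ran the modified binary and warrant the compromise review the article describes; "outdated" hosts only need the manual update.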